"Um.. but when I get SP1, I want to upgrade my deployable .WIM images with the new bits. I can't do that in an offline way like I can with other updates?"

Sorry. No.

"Are you going to tell me why?"

Absolutely! You don't think I would have opened up this nasty can of worms without giving you a good explanation, did you?

"Well..."

Okay. So here's the deal. And those of you who have experienced the SP1 installation have experienced this as well. When you do the SP1 installation, even if it's from Windows Update (when available), you're going to see your machine shut down and restart on its own several times. That's to be expected.

See, there's this important part of the OS known as the "servicing layer" in Windows Vista and Windows Server 2008. This is the part of the OS that allows for easy update installation with minimal disruptions, allows for an update to be applied to an offline captured image that's within a .wim file, among other things.

Well.. let's say that that servicing layer ALSO needed to be updated? What then?

"Oh.. I get it. You can't update the thing that makes the updates happen smoothly, because the thing that makes updates go smoothly is itself being updated!"

Bingo. You got it. So hopefully the news that you can't just do an offline upgrade to an image .WIM file won't be too tragic.

"So.. what do I do instead?"

You are going to have to install your image to a machine. Install the Service Pack. Then re-capture the image.

"Simple!"

Not so simple. There are additional steps that involve some cleanup once you've sysprepped your newly updated SP1 machine. Detailed steps are available in the new WAIK documentation.

"Won't I lose a valuable re-arm to my image when I apply the service pack this way?"

No. SP1 grants you an additional re-arm. We don't want you to be penalized for having to generalize a system that additional time.

Of course, the easiest way to do this all would be to get a copy of the pre-slipstreamed SP1 version of Windows Vista from Microsoft when it becomes available, and start with that as your new installation base. If you're not doing any other custom image management, that's definitely the easiest solution. Just add it to your own Microsoft Deployment workbench or use it to build your new images from there.

Microsoft promises that you’ll still be able to take advantage of your subscription throughout your current subscription period. If you want to start a new subscription (or renew an existing one), you have ‘til August 31, 2013 to make your purchase, and until September 30, 2013 to activate it.

“So.. where do I go to get similar features or support?”

In an e-mail I received on the subject, the author included a pretty useful grid mapping TechNet Subscription Benefits to alternative sources:

TECHNET SUBSCRIPTION BENEFIT: Microsoft Software Evaluation

ALTERNATE BENEFITS – Available Today:

TechNet Evaluations: Free evaluation software with no feature limits, available for 30-180 days.

TechNet Virtual Labs: Free online testing environments, designed to be completed in 90 minutes or less, without the need to install evaluation bits locally.

MSDN Subscriptions: Paid offerings providing access to evaluation software for the duration of the subscription.

Microsoft Services: Assistance with deploying IT solutions, aligning business and IT strategy, support for IT systems, and more.

So in summary – don’t be discouraged. Evaluations are being made available to everyone. E-Learning resources are free (thanks to the MVA). Heck, you can even install the latest evaluation software on cloud-based hardware using a free Windows Azure trial. (HINT: Wanna build a test network of Windows Server 2012 R2 Preview servers? Build them in the cloud!)

So today, for the latest article in our “VMware or Microsoft?” series, I thought I’d address an area that perhaps a lot of VMware customers don’t know much about. One of the important things that we really want VMware customers to understand is that they may be paying for features or technology or high availability or virtualized storage or virtualized networking that they wouldn’t have to if they went with Microsoft’s version of the “Software Defined Data Center”. And add to this the fact that many enterprises using VMware already also own System Center; well, that means that they already own all that they need to do everything that otherwise requires the vCloud Suite and VMware’s Enterprise Plus licensing.

While I don’t have the time to write (and you won’t have patience to read through) an exhaustive list of examples, let me just pick a few key scenarios that you’re either already paying too much for, or perhaps haven’t purchased because you thought the capability was just too expensive. In each example, while I won’t list any retail prices (which are always subject to change), I’ll try and point out what versions or SKUs you would have to obtain (purchase or simply download) to gain the described benefits.

Disclaimer: VMWorld isn’t over yet, and there may be announcements around licensing changes that may make some of these points obsolete. And for your sake, I hope so.

The Hypervisor: FREE

While VMware also has a free hypervisor, theirs is limited in what it can do. And while this week VMware announced that more capabilities will be made available to more of the purchased vSphere levels, Microsoft will never ever have to make any such announcement.

“Why?”

Because the free Hyper-V Server already does everything that Hyper-V installed under Windows Server 2012 does. It’s full-featured. No limits. No compromise. All of the scale is there, for no additional cost. And even though higher versions of vSphere 5.5 now finally support similar scale to Hyper-V, they don’t exceed what Hyper-V already does, and does for free.

Do you see anything on that list that VMware does bigger or better? At the time of this writing (the day after VMWorld’s keynote), in vSphere 5.5 they did increase the LPs to 320, memory to 4TB, and vCPUs to 64, which matches Hyper-V – but not in their free version.

Live Migration (It’s like VMotion): INCLUDED

You don’t need to buy anything just to get ultimate live portability of virtual machines. You can do live moves of running virtual machines (Live Migration), live moves of a machine's storage (Storage Live Migration), and even a move of the running machine and its storage, all in one operation (“Shared-Nothing” Live Migration); even without the need for a cluster.

I know that’s not something unique to Hyper-V. VMotions have been around for a while. But unless something new is announced this week, you still have to pay something for that capability. And, there are some capabilities which, when implemented, actually override and disallow the ability to do a vMotion. (SR-IOV being just one example. Check out this vSphere 5.1 document for their entire list.) NOTE: I’m guessing that the story here gets better with vSphere 5.5, but I don’t know the details at the time of this writing. Please enlighten me in the comments if there is something new here.

With Hyper-V, we have no such limitations.

Also with Hyper-V, you can do as many simultaneous migrations of machines and storage as your hardware will allow, with no artificially imposed limits based on network capacity.

Currently the limit is up to 64 nodes supporting up to 8,000 virtual machines. And you don’t even need System Center to manage or maintain it. You can even do rolling updates of the nodes of your cluster, and the VMs will live-migrate back and forth during the process. That’s just built-in.
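As an added example (my code, not something from the original post), here is what a shared-nothing live migration between two stand-alone Hyper-V hosts looks like from PowerShell. Host names, the VM name, the migration subnet and the storage paths are placeholders; it assumes the Hyper-V and ActiveDirectory modules, two domain-joined Windows Server 2012 R2 hosts, and that you run it with rights on both.

```powershell
# Added example (not from the original post): enabling and running a
# "shared-nothing" live migration between two stand-alone Hyper-V hosts.
# Host names, VM name, subnet and paths are assumed placeholders.

$source      = 'HV01.corp.example'
$destination = 'HV02.corp.example'
$vmName      = 'APP01'

# On both hosts: turn on migration, use Kerberos rather than CredSSP (so nobody
# has to be logged on interactively to the source host), cap concurrency, and
# keep migration traffic off the production network.
Invoke-Command -ComputerName $source, $destination -ScriptBlock {
    Enable-VMMigration
    Set-VMHost -VirtualMachineMigrationAuthenticationType Kerberos `
               -VirtualMachineMigrationPerformanceOption Compression `
               -MaximumVirtualMachineMigrations 4 `
               -MaximumStorageMigrations 2 `
               -UseAnyNetworkForMigration $false
    Add-VMMigrationNetwork -Subnet '10.10.50.0/24'   # assumed migration subnet
}

# Kerberos migration needs constrained delegation on each host's computer
# account for the cifs and "Microsoft Virtual System Migration Service" SPNs
# of the other host. Scope it to exactly these hosts, not "any service".
Set-ADComputer -Identity 'HV01' -Add @{
    'msDS-AllowedToDelegateTo' = @(
        "cifs/$destination", 'cifs/HV02',
        "Microsoft Virtual System Migration Service/$destination",
        'Microsoft Virtual System Migration Service/HV02')
}

# Move the running VM and its storage in one operation; no cluster involved.
Move-VM -Name $vmName -ComputerName $source -DestinationHost $destination `
        -IncludeStorage -DestinationStoragePath "D:\VMs\$vmName"

# Storage-only move while the VM keeps running on the same host:
# Move-VMStorage -VMName $vmName -DestinationStoragePath "E:\VMs\$vmName"

# Confirm where the VM now runs and that its uptime was not reset.
Get-VM -Name $vmName -ComputerName $destination |
    Select-Object Name, State, ComputerName, Uptime
```

The delegation step is the part people forget: without it, `Move-VM` from a remote management station fails with an access denied, and the tempting fix is switching the hosts to CredSSP, which is the less safe choice. Repeat the `Set-ADComputer` call on HV02 for HV01 if you want migrations in both directions.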

“But what about DRS (Distributed Resource Scheduler) and Distributed Power Management?”

Do you want to create and regularly synchronize to an offline copy of a virtual machine that you can fail over to in case of an unexpected outage or disaster? Hyper-V provides that in the box with Hyper-V Replica. And coming in Windows Server 2012 R2 and Hyper-V Server 2012 R2, you’ll have a couple of new capabilities:

Tertiary Replication – You can make a replica of the replica to yet another location (Great for hosting service providers who also want to make a replica of the replica they’re hosting for you.)

More flexible RPO (Recovery Point Objective) – Rather than just sending replica snapshots every 5 minutes, you can also choose to replicate every 15 minutes. Or every 30 seconds.

“But Kevin, VMware includes replication in all editions of vSphere, and in 5.5 they’ve made improvements in RPO and in doing point-in-time recovery with multiple recover points saved.”

Yep. Just like Hyper-V has had since 2012. They’re doing more here, definitely, which is good. But do they support Test Failovers? Do they support automation through PowerShell without some other purchased tool like SRM? Can they automatically re-IP a server that has failed over to a different IP subnet? Is it easy to “failback”? These are all things that you get for no additional cost with Hyper-V Replica.
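To make the capabilities listed above concrete, here is an added example (my code, not the post's) that configures Hyper-V Replica entirely from PowerShell: a 30-second replication interval, an authorization entry so the replica server accepts only the named primary, a failover IP for the DR subnet, and a test failover. Server names, the VM name, addresses and paths are placeholders; it assumes Windows Server 2012 R2 hosts in the same domain (Kerberos over port 80; use certificate authentication and 443 across untrusted boundaries).

```powershell
# Added example (not from the original post): Hyper-V Replica set up from
# PowerShell. Server names, VM name, addresses and paths are placeholders.

$primary = 'HV-PRIMARY01.corp.example'
$replica = 'HV-REPLICA01.corp.example'
$vmName  = 'APP01'

# --- Replica server: enable inbound replication, Kerberos only, and refuse
# any primary that is not explicitly authorized.
Invoke-Command -ComputerName $replica -ScriptBlock {
    Set-VMReplicationServer -ReplicationEnabled $true `
        -AllowedAuthenticationType Kerberos `
        -ReplicationAllowedFromAnyServer $false `
        -KerberosAuthenticationPort 80
    New-VMReplicationAuthorizationEntry -AllowedPrimaryServer $using:primary `
        -ReplicaStorageLocation 'D:\Replica' -TrustGroup 'Production'
}

# --- Primary server: prove the channel works, then enable replication.
Invoke-Command -ComputerName $primary -ScriptBlock {
    Test-VMReplicationConnection -ReplicaServerName $using:replica `
        -ReplicaServerPort 80 -AuthenticationType Kerberos
    # 30 is the R2 interval the post describes; 300 and 900 are the others.
    # RecoveryHistory keeps 4 hourly recovery points besides the latest.
    Enable-VMReplication -VMName $using:vmName -ReplicaServerName $using:replica `
        -ReplicaServerPort 80 -AuthenticationType Kerberos `
        -ReplicationFrequencySec 30 -RecoveryHistory 4
    Start-VMInitialReplication -VMName $using:vmName
}

# --- Replica server again: give the replica VM its DR-subnet address so a
# failover needs no manual re-IP, then rehearse with a test failover. The test
# VM is a disconnected copy; replication from the primary keeps running.
Invoke-Command -ComputerName $replica -ScriptBlock {
    Set-VMNetworkAdapterFailoverConfiguration -VMName $using:vmName `
        -IPv4Address 10.20.0.15 -IPv4SubnetMask 255.255.255.0 `
        -IPv4DefaultGateway 10.20.0.1 -IPv4PreferredDNSServer 10.20.0.10
    $testVm = Start-VMFailover -VMName $using:vmName -AsTest -Passthru
    # ... exercise the application on $testVm, then discard the test copy:
    Stop-VMFailover -VMName $using:vmName
}

# --- Ongoing health check: state, health and lag for every replicated VM.
Get-VMReplication -ComputerName $primary |
    Select-Object VMName, State, Health, FrequencySec, PrimaryServer, ReplicaServer
Measure-VMReplication -ComputerName $primary
```

Two points worth watching in production: leave `-ReplicationAllowedFromAnyServer` at `$false` and manage authorization entries per primary, and schedule the test failover (or at least `Measure-VMReplication`) so a replica that has silently fallen behind shows up before you need it.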

Network Virtualization: INCLUDED

VMware announced NSX at the VMWorld Keynote. This is their solution for network virtualization / Software Defined Networking. The flexibility of defining, isolating, and applying policy to networks of machines that can be programmatically created, and giving the portability to move virtual machines around to different physical networks while the virtual networking and IP addressing of those machines never has to change – that’s all very compelling, yes?

I’d actually like to learn a little more about how NSX is implemented. Is it just a new version of their switch? If so, Microsoft also has the benefit of a virtual switch that is Extensible, not just replaceable. Other products such as firewalls, traffic control, packet filtering – these can easily be added to the switch; configured at a logical level and then applied uniformly to all switches participating in a logical network.

Can you use NSX and the Cisco Nexus 1000v at the same time? No. But with Microsoft’s extensible switch, you just add the Nexus 1000v extension, and you still have Network Virtualization.

Have you heard of Storage Spaces? Windows Server 2012 (and improved in R2) supports the ability to treat cheap disks as pools of storage. Virtualized. From the pool, you create virtual disks, which can then contain volumes.

If that volume contains a file share, you can use SMB 3 (and even better with RDMA support) to have fast, live-data support (even virtual hard disks of running machines) on that storage.

Supporting that storage, you could have a cluster of file servers that actively share access to that same share, which makes the supported files and filesystem “Continuously Available”; meaning, if a file server goes down – even if it’s the one serving access to a particular file (or running VM’s hard disk or SQL Server’s database files), you’ll never lose connectivity. (See “Scale-Out File Server for Application Data Overview” for more information.)

But it gets even better. In Windows Server 2012 R2 we add the ability to automatically support tiered storage in storage pools. If you have local SSDs alongside of HDDs, go ahead and put them in the same pool. And Windows Server will automagically move the more active files to the SSDs and the less active files to the HDDs. (Yes, you can also designate that certain files must always have faster performance and should therefore be put on the SSD tier; like your VM’s hard disks.)
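Here is the tiered-pool scenario from the last two paragraphs as an added example (my code, not the post's): pool the eligible disks, define an SSD and an HDD tier, carve a mirrored tiered virtual disk, and pin a VM's disk to the SSD tier instead of waiting for the optimizer to notice it is hot. Pool, tier, volume and file names are placeholders; it assumes Windows Server 2012 R2 with the Storage module and at least one SSD and one HDD that report their media type correctly.

```powershell
# Added example (not from the original post): a tiered Storage Space on
# Windows Server 2012 R2. Names and paths are assumed placeholders.

$poolName = 'VMPool'

# Only disks that are not partitioned or already pooled are eligible.
$eligible = Get-PhysicalDisk -CanPool $true
if (-not ($eligible | Where-Object MediaType -eq 'SSD') -or
    -not ($eligible | Where-Object MediaType -eq 'HDD')) {
    throw 'Tiering needs at least one SSD and one HDD in the pool'
}
New-StoragePool -FriendlyName $poolName `
    -StorageSubSystemFriendlyName 'Storage Spaces*' -PhysicalDisks $eligible | Out-Null

# One tier per media type; the sizes below are taken from each tier.
$ssdTier = New-StorageTier -StoragePoolFriendlyName $poolName -FriendlyName 'SSDTier' -MediaType SSD
$hddTier = New-StorageTier -StoragePoolFriendlyName $poolName -FriendlyName 'HDDTier' -MediaType HDD

# Mirrored, tiered virtual disk with a 1 GB write-back cache on the SSDs.
New-VirtualDisk -StoragePoolFriendlyName $poolName -FriendlyName 'VMStore' `
    -ResiliencySettingName Mirror -StorageTiers $ssdTier, $hddTier `
    -StorageTierSizes 100GB, 800GB -WriteCacheSize 1GB | Out-Null

# Tiering needs NTFS; ReFS volumes are not tier-aware in 2012 R2.
Get-VirtualDisk -FriendlyName 'VMStore' | Get-Disk |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -DriveLetter V |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'VMStore' -Confirm:$false | Out-Null

# Pin a VM's disk to the SSD tier (the post's "must always be fast" case),
# then run the tier optimization now rather than at the nightly schedule.
Set-FileStorageTier -FilePath 'V:\VMs\APP01.vhdx' -DesiredStorageTier $ssdTier
Optimize-Volume -DriveLetter V -TierOptimize

# Report what is pinned and whether it has actually landed on that tier yet.
Get-FileStorageTier -VolumeDriveLetter V |
    Select-Object FilePath, DesiredStorageTierName, PlacementStatus, State
```

`Set-FileStorageTier` only records the intent; the file moves when `Optimize-Volume -TierOptimize` runs (by default from the scheduled task), which is why the last command reports `PlacementStatus` separately from the desired tier.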

Automation: INCLUDED

VMware agreed with Microsoft during their VMWorld keynote when they said that automation “is the control plane for the datacenter of the future”, and that what is missing (?) is a common set of management and, importantly, automation tools for working with virtualized machines and applications – even in a hybrid cloud environment. And their solution for this is their vCloud Automation Center.

Oh.. and did you know that, with these same tools, you can also automate your configuration, deployment, management, monitoring, and reporting against vCenter-based virtualization resources too? Yes, System Center 2012 SP1 can do that, even if you want to stick with vSphere, or use Hyper-V in addition to vSphere for virtualization.

---

I could go on, but I think this is a good start.

What do you think? Are you paying too much for capabilities that should just be “included”? Have I opened your eyes at least a little bit to the idea that Microsoft has a full-featured, enterprise-ready solution? If you haven’t lately, it’s definitely time to take another look.

Many of you in the U.S. may be familiar with the Microsoft “IT Camps” that we host now and then, where we teach you some great stuff and then give you the opportunity to work with the technology through hosted hands-on lab exercises. These free in-person events have become very popular. They’re so popular, in fact, that our next set of IT Camps (kicking off this week) are pretty much all filled to capacity! (This is why I don’t have a link to share on where to go to register. We’re all full!)

Beyond the fact that these labs were only for our IT Camp attendees, there was a sad limitation in the timing of the lab. We could only make the online versions available to you for the day of the event, and no more. So invariably at every IT Camp I get comments that go something like this:

“Hey Kevin.. I love these labs, and I’d love to be able to do them again.”

- OR -

“Hey Kevin, I have other people at my company that would learn so much from these labs.”

- OR -

“Gosh, Kevin, I wish I could have access to these labs for more than just today.”

And each of these is usually followed by the big question:

“Do you have any instructions on how to build these lab virtual machines so that I can run them on my own hardware?”

Well.. you’re in luck! For this new set of IT Camps, and even for those of you who are unable to attend, I’ve created a Virtualization Lab Build Guide.

“A Virtualization Lab Build Guide?”

Yes. I provide easy instructions and PowerShell scripts to help you quickly spin up and configure the 5 virtual machines that are used in the Virtualization lab; the same lab that we’re doing at our IT Camps. And of course I’m also including the original lab manual; the same one that we’re handing out at our events. So once you have the machines built, you can go through the labs over and over again to your heart’s content, or quickly spin up training environments for your other co-workers.

In order to be able to run all 5 virtual machines on the same physical box, your server (or like in my case, a Hyper-V-capable spare laptop) will have to have at least 16GB of RAM and at least 200GB of free disk space.

The software required to build the virtual machines is all evaluation or free software:

Once downloaded, you just extract the “Virtualization Lab Build Guide.zip” file containing the resources, put the above software installations into the .\Base folder, and run the script that creates the virtual machines.

But I’m getting ahead of myself. Full instructions are included in the guide. Download the Lab Manuals and .ZIP file from my SkyDrive here: Virtualization Lab Build Guide

Feel free to send me any feedback or questions, either in the comments on this blog post, or through the contact function (“E-mail Blog Author”) on this blog. This is version 1.1, so I definitely expect to be fixing and improving things as I hear from you all. I sincerely hope you will make good use of these resources!

And if it is useful to you, then I’ll be doing more of these in future.

This week, as I mentioned in a previous post, I’m at the Microsoft “TechReady” conference in Seattle. We’re having some great technical training and informational sessions, as well as some inspiring keynote addresses.

Out of respect for Rory, I won’t tell you specifically what his question was or what Steve’s answer was. I’ll leave it to him (Rory OR Steve) to post it on his own blog if he chooses. (And I’ll let them link to MY blog.. because only in my wildest dreams could I maintain the readership that Rory’s blog enjoys.)

Whenever I present a live TechNet Event, I ask my audience to raise their hands if they are a TechNet subscriber. Usually about 1/2 of the audience raises their hand. Considering that this is typically a Microsoft-friendly audience, I'm a little shocked that there aren't more hands going up. The TechNet Subscription is such a great resource for IT Pros, for these reasons:

Downloadable (or delivered, if you subscribe to the disks-delivered-to-you-monthly subscription), full-version software licensed for evaluation purposes; which includes Microsoft operating systems, servers, and Office System software; all the software that IT Pros care about. Yes, these are for evaluation, testing, and training only; but they don't time-out. You can install these into a training lab, test lab, or use Virtual PC, Virtual Server, Hyper-V, or even your own downloaded evaluation copy of the latest beta or CTP or Release Candidate software! Use it to build a virtually networked playground, and play with (er.. “evaluate”, if your boss is watching) all the latest and greatest tools and technologies.

You get early access to beta versions and release candidates of new Microsoft products.

A Technical Information Library containing the articles, security updates, service packs, utilities and more - all in one convenient location.

Access to Online Concierge Chat service for live help from a Microsoft Online Assistant - to help you get the most out of your subscription.

Two (2) technical support incidents and a 20% discount on additional phone support incidents you purchase. (HINT: the savings here alone justifies the subscription cost)

Twelve free eLearning courses per year to keep your skills up to date. Just for TechNet Subscribers. (Good idea to watch the TechNet Plus Blog for details)

Unlimited Managed Newsgroup Support. Post your technical questions in over 100 public newsgroups and receive a response from an expert by next business day. It's like another free avenue into direct technical support from Microsoft!

For new subscriptions, from now until March 31, 2010, you can save 28% on the TechNet Plus Direct subscription. What would have cost you $349 will now only cost $251.28.

"That's nearly $100!"

Bingo!

"Is this worldwide, or U.S. only, or what?"

This is for residents of the U.S. only.

“Why new subscriptions only? Why not a discount on renewals?”

Renewals are already automatically discounted, even more than you get with this code. Besides.. we’re honestly trying to promote TechNet Subscriptions to those who haven’t yet benefited from it. We’re pretty confident that if you try it, you’ll see enough value in it to renew your subscription.

Write down or copy this promotion code to your clipboard: TNITE04 (That's zero-four. Not the letter O.)

Bill Steele says that prices are down to $2.33 where he lives. They’re actually down to around $2.21 near me, after hitting $3.00 only about 2 months ago.

We complain so much in the U.S., because to us, these are still very high prices compared to what they were earlier this year. But compared to the rest of the world, we’re still getting our gas really cheap.

Now someone please tell me why we have to deal with all this up-and-down price nonsense…. I have yet to hear a good, believable explanation.

I have never been one to go for conspiracy theories. I don’t think that there’s some central organization that is setting gasoline prices at artificially high levels, or running the world’s economy because they are under the direction of aliens who want to maintain the appearance of all of us being able to determine our own fates. However, recent events are causing me to suspect that certain industries may in fact LIE to their customers in order to save a few $’s.

Here’s my story. Monday, two days ago, found me traveling to Peoria, IL from Minneapolis. I have one stop in Chicago. I’m traveling on [Airline Name Deleted] Airlines.

Anyway, the flight from Minneapolis to Chicago was just fine. No concerns. So now I’m waiting for my flight to Peoria. “Hmm… I don’t see a plane out there.”… not usually a good sign. But soon an announcement of my plane’s delayed arrival from somewhere else leads me to believe that there is hope.

However… many minutes later, after the plane has emptied, there is an announcement that they are “working on a mechanical issue” and that they “would let [us] know in 30 minutes what the status is.” Uh oh…

30 minutes pass. True to her word, here’s the announcement. “We’re sorry, but the flight has been cancelled. The rest of our flights to Peoria are pretty full today. Come to the desk and we’ll give you some options.”

The options were: Risk standby on [Truly Aggravating] Airlines or some other airline, take a bus voucher for a 3–3/4 hour ride, or let them put me in a hotel for the evening and take a flight tomorrow.

Hmm… well, the flight tomorrow wasn’t an option. Tomorrow is why I’m going to Peoria. My briefing attendees won’t sit there waiting for me to arrive on the morning flight. And it was being said that the standby option probably wasn’t going to work because those flights had been sold full, too. So I guess that will be one bus voucher for me. Thanks.

“Oh, and sir… the next bus leaves in 10 minutes.. so I don’t think you’ll make it, but you can try. Go and collect your bag at carousel ten.”

Cool. Go get my bag. I walk briskly to carousel 10 (which is a LONG walk. Any walk in O’Hare is a long walk.) C’mon bag!

So I waited. And watched. And counted the minutes. And watched the 3:00pm bus departure time come and go… but still no bag. Frustrated, as you can imagine, I went to the luggage claim desk. The “friendly” woman there informed me that my bag is on its way to Peoria on one of the later, “full” flights, so I should get it from the Peoria airport when I get there.

Anyway… I go to the bus terminal. Yes indeed, I missed the 3:00 bus by 10 minutes. And I found out that the next one departs at 7:00pm! <sigh> well… I got nothing but time (and a heavy laptop bag), so I head back to the terminal figuring, “I’ve got the bus ticket. There’s no harm in going to the [Stupid] Airlines ticket counter and asking if there were please-oh-please some other option.”

On the way to the ticket agent, I decided that I might just double-check the baggage-claim-carousel-from-hell to see if my bag might have suddenly appeared. Guess what?! A miracle! My bag was there, going ‘round in circles! Lesson learned: Never trust what [*@!*$#!] Airlines employees tell you – especially when their stories don’t match.

Somewhat relieved that I had at least claimed my week’s belongings, I head to the ticket counter and explain my exasperation. (I was really polite. Seriously. More polite than they deserved, which is ALWAYS a good thing.) Unfortunately my exasperation or even my most polite smile couldn’t coax all the clickety-clacking on her circa 1976 keyboard to find me a flight to Peoria this evening, on any airline. I said, “Well.. then can you get me a one-way rental car?”

“Nope. We don’t do rental cars.”

[smiling, mostly] “Can I have a second opinion?”

“I’ll get the supervisor.”

“Great. You do that.”

Several minutes pass… and finally an obviously overworked supervisor du jour comes over. “How can I be of assistance?”

<gasp> “Okaaaaay…. What do you recommend I do that won’t mean I have to sit around here for four hours and then another three-and-a-half hours on a bus?”

“I can give you this $5 voucher for a snack.”

<bigger gasp> “Um… (still smiling politely, but feel like I’m talking through gritted teeth..) Unless you know of a cab driver who will accept a $5 snack voucher in exchange for a trip to Peoria, this is not going to help much.”

“I’m sorry sir. That’s all I can do. Well… actually, I can also give you this $10 voucher for dinner. But that’s really all I can do.”

“ummm… <sigh> I guess I’m traveling by bus then. Thank you.” (See? I am way too polite. Thinking about it later, I’m kicking myself that I thanked them for so little.)

So off I go, big bag and heavy laptop bag and all, back over to the bus terminal. On the way I use my “$5” to buy $4.85 worth of coffee and bottled water at a Starbuck’s kiosk. (“Can’t give you change, Mr. Customer Sir. Not for a voucher.”) And then at the bus terminal I use my $10 to buy about $8.50 worth of Uno’s pizza and a Snapple. (“Can’t give you change, mack. Not for a voucher.”)

Well…to cut to the end of this Monday saga; I catch the bus. And because I’m going to the Peoria airport on a voucher, I have to be the very last stop. (“Gotta do the regular route first, buddy. You’ve only got a voucher.”) Rental car folks kept their word, though… they were there waiting for me to arrive, even after their closing time. Big points for Avis. They do “try harder” when it means some nice lady waits around an extra half hour late in the evening just for little ol’ me. Very nice!

Is that the end of my story? NO! Tuesday night I leave our event (Had a great time! Thanks again, Peoria!) and head to the airport. Check the bag. Head to the gate. Board says it’s still on time. Cool. Head to the wash room. And just as I’m washing my hands, I hear the announcement. “Flight #xyz arriving from Chicago has been cancelled. Because of this, flight #abc, the flight that Kevin A. Remde is on, has been cancelled.”

I’m sure many people in the terminal heard the echoed “NOOOoooooooo!” emanating from the Men’s room.

Unbelievable. So… back to the ticket counter, where they put me on a later flight on yet-another-but-obviously-more-reliable airline. Fortunately, and thankfully, I actually SEE them hand my bag from one company to the other… and this new flight to Chicago goes just wonderfully – made better by the fact that one of my coworkers was also on the flight, so we each had someone to talk to.

—

So where does this leave me? I’m sitting here writing this, on Wednesday afternoon, at O’Hare gate G7 (oooh.. that may have given away the Airline. <heh>), having had two days prior of cancelled flights. I’m waiting for a plane to arrive at the gate that will take me to Madison, Wisconsin. It’s not here yet. Hmmm…

And as you can imagine, I’m wondering… will it happen again? Is it true that “bad things come in 3’s”, or will it be “the third time’s the charm”? And did [really frustrating] Airlines make money on Monday when they cancelled my flight, because it only cost them $45 for a $30 bus ticket and $15 (really $13.35)

So I’m also wondering: Maybe they lied. <gasp!> Conspiracy! Could it be?! Maybe “mechanical problems” sometimes is just code for “in this case we think we can save some big bucks by making you all make other arrangements and we’re willing to risk pissing you off because we know right now you have no other options so just shut up and take this voucher [forced smile]”.

There is something I’m not wondering, however. In fact, I’m absolutely certain… Unless I get some satisfaction from them in the form of at LEAST a letter of apology, I will NOT be traveling on [Poopy-Pants] Airlines ever again if I can help it.

Active Directory. You know it. You love it. You’ve loved it since it made its introduction back in Windows 2000 Server. Over 90 percent of the world’s business IT relies on Active Directory for local user and machine management, authentication, policy application, and directory services.

And with every new version of a Windows Server product, we make improvements and add new functionality that either directly impacts Active Directory, or indirectly impacts (read: enables) other new functionality on behalf of your users, applications, and managed resources. So naturally we couldn’t do a series of “Why Windows Server 2012 R2” articles without discussing it.

“One of the most prevalent IT industry trends at the moment is the proliferation of consumer devices in the workplace. Employees and partners want to access protected corporate data from their personal devices, from checking email to the consumption of advanced business applications. IT administrators in organizations, while wanting to enable this level of productivity, would like to continue to ensure that they can manage risk and govern the use of corporate resources.”

To support this notion of giving our employees the ability to get their work done from their personal devices, of course there has been new functionality added to Active Directory to support it. But before I get ahead of myself, why don’t I list out the 4 key value propositions – the main things you get that are new, and enabled by new capabilities in Active Directory:

Workplace Join – Allow a user to associate their personal device with the company directory

Single Sign-On from those devices now associated with the directory, granting them access to corporate data and applications

Securely authenticate for and connect to company applications and data from anywhere (with an Internet connection), and

Manage the risk of those users who work from and access data from anywhere.

NOTE: These each are very big topics in their own right. So, rather than doing an exhaustive write-up on each one, I’ll summarize the capabilities and benefits here, point out what specifically has changed in Active Directory to support it, and then point you to more complete documentation and user guides for further study if you wish.

Join the Workplace

What is it?

As a company employee who has his/her own device, and with the blessing of the company I work for (who is really interested in allowing me to be mobile and productive on whatever device I have), I want to be able to get stuff done. So I will “join” my device to the “workplace”.

“Isn’t that like joining the domain?”

Yes. Well, sort of. But more correctly, NO. It’s not going to be a domain-joined device in the way that we’ve been managing devices since Windows NT. In this case, we’re registering the device with the domain so that it (and its owner) will be trusted when requesting and running company-secured applications, accessing company-secured data, or otherwise accessing company-secured resources. When you join a device to the workplace, it becomes “a known device and will provide seamless second factor authentication and single-sign-on to workplace resources and applications.” And once the device is “known”, IT can leverage that knowledge to also apply additional configurations (example: pushing company VPN connection settings to the device).

What changed in AD to support it?

The main change here was the addition of the Device Registration Service. The DRS, which is a new part of the Active Directory Federation Services (ADFS) role, creates a device object in Active Directory, and tracks the associated device’s certificate in order to represent the device’s identity.

Here’s a simple scenario: You have a device that you’re using to connect to a company SharePoint server. You’ve registered your device with the company (“workplace join”), so your device has a certificate that is known to the directory as being yours; an employee in good standing. Without SSO, you would be prompted for a login with every application or company SharePoint server you try to access. But with SSO, you will only be asked one time.

What changed in AD to support it?

In addition to the Device Registration Service, the Active Directory Federation Services (ADFS) role allows claims-based authentication to occur based on trusted certificates. Once the user is authenticated (username + password + trusted device + other factors as needed), the claim is then trusted and, while valid, can be used to launch company applications or access company data.

Well.. it’s not just enough to be able to sign in once on my non-domain-joined, personal device. I also want to be able to use it from anywhere. With nothing more than an internet connection, I should be able to have authenticated, secured access to my company applications and data; whether they’re hosted in public cloud locations or on the private corporate network.

What changed in AD to support it?

The Web Application Proxy is a new role service; a new part of the Remote Access role. Web Application Proxy “provides reverse proxy functionality for web applications inside your corporate network to allow users on any device to access them from outside the corporate network. Web Application Proxy preauthenticates access to web applications using Active Directory Federation Services (AD FS), and also functions as an AD FS proxy.”

So, now armed with SSO (facilitated through ADFS), the authenticated user + device can access applications on the corporate network without having to use a VPN connection.

In the end, who are we really trusting? We have users who have user accounts with passwords in Active Directory. They also registered their device in Active Directory so that we know we can trust it, and the user. Hmm.. that’s two things that we’re trusting. Is this what we might call “second factor authentication”?

The idea here is that Microsoft has expanded Active Directory in Windows Server 2012 R2 to support tracking devices that are “registered” (not joined) to the domain. With those trusted devices we have further technology to grant authenticated access to our trusted users; even using multiple forms of information (multifactor authentication) to grant secured access to applications and data. We allow users to sign in one time and continue to have access to multiple apps and resources, from wherever they are (thank you ADFS). And we even have a Web Application Proxy to allow that trusted access directly to internal resources as well.

What do you think? Is Microsoft doing the right thing to add support in Active Directory and supporting technologies to allow any user, any device, from anywhere to be able to get work done? Please add to the comments if you have an opinion, a question, or any sort of off-the-wall comment.

For those of you who may not be familiar with it, you have the ability to set up a federated identity relationship between your local Active Directory and your Office 365 authentication. In this way, your people, simply logging in with their local domain accounts, are automatically authenticated against Office 365, because Office 365 uses Windows Azure Active Directory, and you can set up an ADFS relationship between the authentication in Office 365 and your company’s Active Directory domain. So, you manage one set of user accounts locally, just like you always have, and Office 365 can grant access based on the “claim” that the user account is known and valid. Your client (laptop, tablet, or other mobile device) gets the claim from your Active Directory (preferably by accessing an ADFS Proxy in your company’s perimeter network), and then passes that acquired claim up to Office 365.

In short – Your users are either already authenticated, or just have to set up the authentication parameters one time for their use of cloud-based services such as Office 365, Windows Intune, or other such services.

So this is great. No matter where I am, or where my people are in the world, they can use their domain account and local profile and just open up Outlook or access the cloud-based SharePoint or their SkyDrive Pro storage, and they’re authenticated. And even if they’re using a non-domain machine or a mobile device, they’ll use the same company credentials they’re already familiar with to connect to their company e-mail or other resources.

The Problem: I’m outside the office, and the connection to my ADFS Proxy is unavailable. What happens then?

“Yeah.. what happens then?!”

I’ll tell you what happens then. It’s a problem, because your device needs to get to the ADFS (STS) proxy to verify that you are who you say you are, and to give you the claim token that is passed up to Office 365. If it is unavailable, then your users can’t be trusted by their cloud-based resources. Outlook won’t be able to connect to the Office 365 Exchange server. Yeah.. a big problem. That’s why so much documentation (and even the promise of Microsoft support) is devoted to the configuration of a load-balanced farm of servers to keep that proxy service high-performing and highly available.

Granted, it’s an even bigger problem for the people who are sitting in that office. Presumably they can’t access the Internet at all. So assuming that your company, like most others, is becoming more and more dependent upon that Internet connection being live in order to get their work done, you’ve probably already addressed alternatives. And many people nowadays have multiple personal paths to the Internet that would restore some amount of personal access. But that doesn’t fix their problem of not being able to get Outlook to connect.

The Solution: Put a copy of your domain in “the cloud”!

Think about it: If I have a replicated copy of my domain up on a virtual machine running in Windows Azure, then that domain controller can also serve as the trusted location where Office 365 and the ADFS trust can be connected!

“Sounds like an interesting idea. But what if I don’t want a copy of my domain up in the cloud?”

Then another option would be to use Windows Azure virtual machines as your ADFS Proxies. Basically, think of Windows Azure as an alternative to (or an extension of) your perimeter network (DMZ). Of course, in this case, if your home datacenter goes down, you’re still going to have authentication issues.

Here’s a thought: Do both! Have an AD site up in Windows Azure, with a secured/authenticated/encrypted connection back to the corporate network. And then build an externally available, load-balanced set of machines in a separate “perimeter” network in Windows Azure as well. In this way, even if your connection back to your main office and the local AD DCs goes down, you still have AD authentication available “locally” within your Windows Azure subscription.

I need to let you know some GREAT news I’ve heard. As I’m sure many of you experienced, the demand for the public Windows 7 beta was enormous. So much so that it overwhelmed the servers for many of our external sites. Of course, with such great demand, there’s a good chance we’ll quickly reach the 2.5 million download limit. In fact, it was probably the public knowledge of that limit that caused such a great rush of activity to get the bits before they were no longer available.

Good news: They’ve temporarily removed the limit. You can read about it here on the Windows Blog. Basically what we’re doing is allowing as many downloads as can happen between now and through the 24th of January, 2009. Then at that point, if we haven’t reached 2.5 million, we’ll continue to allow downloads until the limit is reached. However, the more likely scenario is that we will surpass 2.5 million downloads, and so the beta downloads will be stopped after the 24th.

“So what do you recommend, Kevin?”

It’s nice that I don’t have to tell you to hurry to get it, because you have two weeks to get it. But I do recommend you get it, try it out (on a machine that isn’t critical to your productivity), and give us feedback. (Hey.. if you’re running an edition of Vista that has the “Complete PC Backup” tool, you should USE IT. Get a big-enough USB drive and do the backup before you do the upgrade or install, so you can restore the system if you need to. That’s what I’ve been doing. Fortunately I haven’t had to restore anything yet.)

“Should I wait for Windows 7 instead of deploying Vista?”

That’s the billion dollar question these days, isn’t it.

My opinion on that: Absolutely do not wait for Windows 7. Deploy Vista (with Software Assurance). Sure, I’m loving Windows 7 and some of the new UI features, but the overwhelming step-up between XP and Vista is still such a huge advantage in productivity, reliability, performance, security, manageability, etc. If you really learn these benefits and how they save you time and frustration (and that means MONEY), you shouldn’t have much trouble cost-justifying the rollout. I sincerely believe** that.

So.. sure, Windows 7 has some nice new navigation and fewer UAC prompts.. but it’s just not the same big change. Windows Vista is the way to go, even if you only consider it the stepping stone to Windows 7. You are very unlikely to have any compatibility or hardware driver issues moving from Windows Vista to Windows 7.

“Are you going to install it on your day-to-day production laptop?”

My Lenovo T61p? I’m very tempted. Very very tempted. So far it’s working great on both my VPC hosting machine (as I blogged earlier) as well as my family’s main shared kitchen-table laptop. I may be installing it tonight on my Media Center computer; provided nobody in my family has any important TV recordings they don’t want me to interrupt, of course. And the next logical installation will indeed be my work machine here.

“What’s your hesitation?”

Same as anyone else’s when it comes to the slightest potential for lost productivity. It’s beta, after all. I’m more willing to jump into the latest-and-greatest than most people, because I know I have the ability to jump back if I need to.. and also because it’s an unwritten duty as a Microsoft employee to “eat the dogfood”. And primarily because then I can speak and blog more intelligently about what I’ve experienced first-hand.

Soon. Very soon.

----

**If you don’t believe me, then put a comment on this blog post. Seriously, I’ll answer your questions or give you suggestions on how to look at making the justifications to your boss (or to yourself).

The first two editions on the list are for PCs/Desktops/Laptops that have Intel and AMD CPUs. They will still come as 32-bit and 64-bit operating systems. Plain “Windows 8” is the consumer edition. “Windows 8 Pro” is the edition for business and for tech enthusiasts.

The third one, “Windows RT”, is the new version that will ship pre-installed on ARM-based PCs and tablets. It’s the version that was formerly referred to as Windows-on-ARM or WOA.

“This all sounds great. It’s certainly much less confusing. But what features or applications are available in these? How do they compare?”

Oh.. one more thing. Now it’s official: The product is called “Windows 8”. Go figure.

Also -

“NOTE: As with previous versions of Windows, we will also have an edition of Windows 8 specifically for those enterprise customers with Software Assurance agreements. Windows 8 Enterprise includes all the features of Windows 8 Pro plus features for IT organizations that enable PC management and deployment, advanced security, virtualization, new mobility scenarios, and much more.”

So I guess if you count Windows 8 Enterprise edition, there are actually 4 SKUs. But who's counting?

---

What do you think? Do you like this move? Does it make sense? Share your rants in the comments, please.

This question was asked recently of our team, and it was just interesting enough of a question to see if someone reading this blog might like to play with this scenario on their own.

Yes.. you are finally being encouraged to “try this at home”.

Here’s the question: Can you create a virtual machine Windows Server 2003 guest being hosted in a Windows XP Virtual PC installation, and make the host XP machine a member of a domain running on the Windows 2003 Server?

Hint: Some have suggested using a loopback adapter installed on the XP machine as the common link between them… although I don’t see why the physical adapter on the XP machine wouldn’t work just as well.

It was discussed by a few people who said it couldn’t be done, but I’m not so sure. And before I tried it I thought I’d toss it out here and see if someone wants to give it a whirl and share their experience with us.

Yeah… I’ve been rather delinquent in my blog postings of late. I really enjoyed some scaled-back work-time over the holidays. No… I didn’t take vacation. But I did spend more time with my family. I spent my working hours working on content for this new quarter of TechNet Events, and what time I may have given to blogging was spent playing with kids and assembling their new toys.

“Why the XBOX logo? Did you break down and get your kids the Xbox 360?”

Well… I said I wasn’t going to – mainly because I didn’t think they wanted one so bad until the day before they went on sale. So I was resigned to the fact that it would be nearly impossible to find one, and I told the kids that they shouldn’t expect one because of that. However… thanks to a spouse’s cousin’s eldest son who happens to work at a major electronics merchandiser across town, I was able to get one of a shipment of five that happened to arrive the week before Christmas. (Thanks again, Terry!)

“So what are you doing now?”

Well.. we’ve got some great content coming to you in our live events, so I’m excited about that. And I’ll be doing a couple of webcasts on Securing your Exchange Servers in a couple of weeks. But tomorrow I get on a plane and head to Seattle for a week of “TechReady”, which is an employee-only training conference for technical people like me “in the field” for Microsoft. I’m excited to get in-depth with what’s coming in Exchange 12, Office 12, Vista, and who knows what other new stuff coming even farther into the future.

By the way… do you like my new interactive photo on the left? Yep. Kevin’s been getting fancy with the HTML!

[Insert an even more annoyingly-loud buzzer sound indicating a wrong answer here]

Wrong! It is installed UNDER Windows Server. (And that’s just one option. More about that in a sec.) When you enable the Hyper-V Role on Windows Server, it inserts the hypervisor between the hardware and the host operating system; actually changing the host operating system into just another “Partition” – the operating system running on virtualization that has highest priority and control of the hardware, and the OS you see when you look at the console. But architecturally, it’s actually running on top of the hypervisor. And any virtual machines you host are “child partitions”.

Hello out there all of you virtualization fans!… all of you datacenter supermen and superwomen!… all of you who get excited when skillfully and elegantly applied information technology makes your work lives and the work lives of the people you support – and the businesses you provide value to - just so much better!

Exactly. Except that instead of one week, it’s six weeks long. And instead of sharks, it’s virtualization platform and management comparisons. But in terms of ferocity, well.. they’re exactly the same. (Minus the sharp teeth and all of that violence, of course.) What we want to do during these six weeks is to dispel some of the myths and misinformation that are out there. In this series we promise to provide you with articles that are rich in technical detail, proving that Hyper-V and System Center 2012 are the best choice for virtualization and serving up applications; whether your “clouds” are local, in the public cloud, at a hosting provider, or a combination of any of those.

We also promise that, if we’re discussing an area where VMware simply has a better solution, or has a technology that Microsoft can’t match, we’ll acknowledge it honestly. We know that, as Microsoft employees (and especially as a bunch of folks who hold the title of “Evangelists”), we are automatically seen as anything but impartial. And let’s face it: We are. (smile) But we’re also confident enough in the products and the company that we represent to be able to just tell it like it is. And we expect (and hope) that if you find something that should be corrected, you’ll inform us of it in the comments on our blogs. That’s what the comments are for, and we sincerely anticipate and appreciate all open and respectful discussion.

“Do you have a list of topics created?”

Yes, we do have a list. But it’s definitely subject to change. It’s no secret, and certainly no accident, that this series will be happening over the week when VMware will be holding their VMworld conference. So we know that our list might change drastically during that week as a result of the announcements and improvements that VMware will most certainly make. They might even catch up to or surpass Microsoft in some areas where we currently hold the advantage. In that light, we also reserve the right to discuss some improvements and new technologies soon to come in Windows Server 2012 R2 and System Center 2012 R2. (<— HINT: Click those links to download the previews of each of these.)

So.. watch our blogs, watch the series landing page, and get ready to be on the very edge of your swivelly office chair as you witness the carnage competition about to unfold…

Today finds me sitting in a hotel room in Green Bay, Wisconsin. It’s getting cold outside, so sitting in here doing work in a quiet location is quite enjoyable. And as you see from the number of blog posts I’ve made today, I’ve been quite productive.

One of my tasks today was also to work on an RSS talk I’m going to give to anyone on my team who wants to listen. I volunteered to lead some informal internal training on the subject, since the multiple and powerful uses of RSS is a subject I’m passionate about.

In fact, check out what the weather is doing outside my hotel room now.

Personally, I use SharpReader. I like being able to set up my subscriptions in a folder hierarchy that lets me view and work with either individual blogs or sources, or higher-level folders (and all items contained within). I might start playing with Bloglines, though… or some other online reader, mainly because I would like to have the same list and view of read/unread items whether at my desk, on my mobile phone, or any other Internet-connected computer.

What do you use? How did you receive this post? And how are you reading it now – on the blog directly, or via some reader?

Well, the best way of course is a TechNet Plus subscription. That will include having betas sent directly to you. But another way to keep tabs on what is new and available is to subscribe to the TechNet Flash e-mail newsletter. This page here gives you the details and steps to take for signing up, so you’ll get the word when a new beta or CTP (Community Technology Preview) is available for you.

And.. I don’t think I will get in trouble telling you this - but I’m running an “escrow build” – a build that is in its final stages of being tested for beta release – of Windows Vista Beta 2. It’s “flippin’ sweeet!”

Now, like Virtual Server 2005 R2, you can download and use Virtual PC 2004 (SP1 version) for free.

“No way.”

Way. But I understand your disbelief. That’s what I said when I heard the news late yesterday. And by the time you read this it will be true.

[I see the VirtualPC home page is already announcing it prior to the official 9:00am PST launch time, so I will insert the Microsoft PressPass Link here when it’s live.]

“Awesome!”

And it gets better.

“There’s more?”

Yep. We’re announcing that the next version of Virtual PC (2007) will be free also. So now you folks looking to use Virtual PC Express (the limited version that was going to come as a part of Windows Vista Enterprise) will be able to use the full-blown Virtual PC product instead… and with an additional benefit. If you’ve purchased Windows Vista Enterprise, you are now allowed to run 4 additional copies of Windows Vista Enterprise guests on your Windows Vista Enterprise host. So whereas previously you would have had to buy those licenses for your guest machines; now they’re INCLUDED, as long as your host is Windows Vista Enterprise edition. And that’s also true if you’ve purchased Windows Vista Ultimate edition with SA (Software Assurance).

“But I suppose I can’t run those additional licenses if I’m using VMWare or some other product, right?”

Wrong. But I’m not surprised you would think that. This is a little confusing to a lot of people who assume Microsoft is trying to use this to push its own virtualization stack.

So here it is in a nutshell: The licensing benefit isn’t tied to the virtualization technology you’re using, but to the OS version you’ve purchased.

So that means that, yes, you will have the right to run 4 additional copies of Windows Vista Enterprise edition on top of your Windows Vista Enterprise desktop, laptop, or tablet, and you WILL NOT have to be using Virtual PC to do it.

“So – What happens to Virtual PC Express?”

It is gone. There’s now no longer any need for it. Virtual PC does all of what Express was going to do, and more. And did I mention that it’s free?

“When can I get Virtual PC 2007? And what will it do that 2004 doesn’t?”

It’ll be out in the first part of 2007, and will include the ability to run on a 64-bit host machine. There are also said to be performance and virtualized memory-allocation improvements.

And it’s free.

—

Here’s the thing that I think is the most interesting about this change (other than it’s just very good news for virtualization as a whole): Microsoft is once again reacting to the great competition that is out there. One of the big value propositions of Windows Vista Enterprise was that it included the virtualization (VPC Express) needed for the sake of application compatibility scenarios, among others. But other virtualization products are out there now that are free and would do the same or more, so the “perceived value” of Windows Vista Enterprise took a big hit.

So now that we’re giving the full Virtual PC away for free, and we’re including the additional licensing perks for Windows Vista Enterprise, it again becomes a very valuable reason to go there in the enterprise.

Okay.. you're an IT Pro. (If you're not, you're still welcome to keep reading.) And you're tired of feeling alone in the world. But you know that there must be some others out there like you - dealing with the same issues and same technologies; just dying to show off some new script or tool or best-practice you've discovered or developed. So you're looking for a place to go for networking with others.

Look no further.

Aggreg8 is a site for IT Pros to mix-n-mingle. It's like a "MySpace" (or a Windows Live Spaces) for IT Pros, complete with working groups on various topics that IT Pros get excited about. You can set up a profile, join groups, enter posts, add favorites, share content, mix, mingle, and learn.

"How do I get started?"

Just go to http://aggreg8.net. If you don't have one already, you'll need a Passport account to use for your authentication there, but once you're in, you can build your profile and upload your picture (or whatever avatar you choose), and get networking!

We learned and are learning so much from your fresh installs, your upgrades, etc. And we will learn even more as you get and install the RC. But…

The path from Beta to RC cannot be supported as an in-place upgrade.

“HUH?! I wanna take my beta and just upgrade! Are you saying I can’t?”

I want to do that, too. And no, I’m not saying you can’t. (Actually, you can’t, unless you do a tweak to an installation file – more about that below.) But it’s not a scenario that Microsoft is building Windows 7 to support. Think about it.. Do we really want to spend the extra effort (and days or weeks delay in releasing the product) to fully test a scenario, with all of the smallest details of every file and every setting and potential configuration, that once the product is released, nobody will need? The real world isn’t full of people upgrading from Beta to RC. The purpose of betas and RCs is to completely test the real-world kinds of upgrades and deployments. It doesn’t help anyone to have to report, track down, and fix a bug relating to the Beta-to-RC path.

“So… what is Microsoft recommending?”

As the post says, the recommended paths – the ones that will help all of us best to improve the product - are to either restore your previous XP, Vista or Vista SP1 installation and then upgrade to RC, or to do a fresh installation of the RC.

The good news is this: If you really really really need to keep your beta configuration and want to do an upgrade to RC, you’ll be able to do it with a documented tweak to the cversion.ini file on the source installation disk. (See the blog post for the full details on what needs to be done.)

Believe me. Many people at Microsoft have been debating this issue passionately. This is what we wanted to hear, and we know that you’d prefer a supported upgrade path. We’re all in this together. I did an upgrade of not only my day-to-day production machine that I’m on now, but also my family’s laptop and my family Media Center. Am I happy about this? Absolutely not. But like I said.. if you think about it, it does make sense. (And anyway, a fresh install on my Media Center may get rid of one particularly annoying issue I’ve got with my Zune software not seeing the new TV files the way it should. I’ll just have to make sure DRM on my recorded TV files will not be lost. Got any hints on how I’ll do that?)

“So what are you going to do, Kevin?”

For the RC, I’m going to be relying on backups (Windows Easy Transfer) and doing re-configuration on top of a fresh install for my family laptop. And I’ll investigate the Media Center options I have and get back to you.

Okay.. let ‘er rip. Tell me what you think. Don’t hold back. If your complaints are well-thought-out and constructive, I’ll share them with the product team. But in any case, feel free to comment/rant/complain/yell/etc.